Bug 1330533 - Remove argc/argv arguments to XRE_LibFuzzerSetMain. r=decoder
authorMike Hommey <mh+mozilla@glandium.org>
Thu, 12 Jan 2017 11:59:37 +0900
changeset 377574 7d3a760bda8f25c469e06081dd9cc9189e32f6bb
parent 377557 516551993d16fb186abb4469ef5eba9f88e91b9b
child 377575 b22cd126ae14dd01ced45406664bbff4394ec3fe
push id1419
push userjlund@mozilla.com
push dateMon, 10 Apr 2017 20:44:07 +0000
reviewersdecoder
bugs1330533
milestone53.0a1
Bug 1330533 - Remove argc/argv arguments to XRE_LibFuzzerSetMain. r=decoder The function given to XRE_LibFuzzerSetMain is called from somewhere that does have access to argc/argv already, so we can avoid passing them to XRE_LibFuzzerSetMain. This actually might fix subtle issues with argc/argv not really matching reality when calling the LibFuzzerMain function in the current code: some arguments are handled before the call, and both argc and argv are modified from within XRE_main, but the values stored for the LibFuzzerMain call are still the original ones. Since argv is a pointer and is not reallocated, the value stored for the LibFuzzerMain call points to the modified array, but argc, being an integer, is not updated accordingly. In fact, it's actually worse, because while the Gecko code doesn't reallocate argv, gtk_main might. So if some GTK flag is passed on the command line, there's also a possibility that the LibFuzzerMain function will do a use-after-free. So all in all, it's just better to use the set of modified argc/argv from XRE_main instead of storing them from main().
browser/app/nsBrowserApp.cpp
toolkit/xre/Bootstrap.cpp
toolkit/xre/Bootstrap.h
toolkit/xre/nsAppRunner.cpp
tools/fuzzing/libfuzzer/harness/LibFuzzerRunner.cpp
tools/fuzzing/libfuzzer/harness/LibFuzzerRunner.h
xpcom/build/nsXULAppAPI.h
--- a/browser/app/nsBrowserApp.cpp
+++ b/browser/app/nsBrowserApp.cpp
@@ -230,17 +230,17 @@ static int do_main(int argc, char* argv[
     return 255;
   }
 #endif
   config.sandboxBrokerServices = brokerServices;
 #endif
 
 #ifdef LIBFUZZER
   if (getenv("LIBFUZZER"))
-    gBootstrap->XRE_LibFuzzerSetMain(argc, argv, libfuzzer_main);
+    gBootstrap->XRE_LibFuzzerSetMain(libfuzzer_main);
 #endif
 
   return gBootstrap->XRE_main(argc, argv, config);
 }
 
 static bool
 FileExists(const char *path)
 {
--- a/toolkit/xre/Bootstrap.cpp
+++ b/toolkit/xre/Bootstrap.cpp
@@ -75,18 +75,18 @@ public:
   }
 
   virtual void XRE_SetAndroidChildFds(int aCrashFd, int aIPCFd) override {
     ::XRE_SetAndroidChildFds(aCrashFd, aIPCFd);
   }
 #endif
 
 #ifdef LIBFUZZER
-  virtual void XRE_LibFuzzerSetMain(int argc, char** argv, LibFuzzerMain aMain) override {
-    ::XRE_LibFuzzerSetMain(argc, argv, aMain);
+  virtual void XRE_LibFuzzerSetMain(LibFuzzerMain aMain) override {
+    ::XRE_LibFuzzerSetMain(aMain);
   }
 
   virtual void XRE_LibFuzzerGetFuncs(const char* aModuleName, LibFuzzerInitFunc* aInitFunc, LibFuzzerTestingFunc* aTestingFunc) override {
     ::XRE_LibFuzzerGetFuncs(aModuleName, aInitFunc, aTestingFunc);
   }
 #endif
 
 #ifdef MOZ_IPDL_TESTS
--- a/toolkit/xre/Bootstrap.h
+++ b/toolkit/xre/Bootstrap.h
@@ -105,17 +105,17 @@ public:
 
 #ifdef MOZ_WIDGET_ANDROID
   virtual void GeckoStart(JNIEnv* aEnv, char** argv, int argc, const StaticXREAppData& aAppData) = 0;
 
   virtual void XRE_SetAndroidChildFds(int aCrashFd, int aIPCFd) = 0;
 #endif
 
 #ifdef LIBFUZZER
-  virtual void XRE_LibFuzzerSetMain(int argc, char** argv, LibFuzzerMain aMain) = 0;
+  virtual void XRE_LibFuzzerSetMain(LibFuzzerMain aMain) = 0;
 
   virtual void XRE_LibFuzzerGetFuncs(const char* aModuleName, LibFuzzerInitFunc* aInitFunc, LibFuzzerTestingFunc* aTestingFunc) = 0;
 #endif
 
 #ifdef MOZ_IPDL_TESTS
   virtual int XRE_RunIPDLTest(int argc, char **argv) = 0;
 #endif
 };
--- a/toolkit/xre/nsAppRunner.cpp
+++ b/toolkit/xre/nsAppRunner.cpp
@@ -267,18 +267,18 @@ extern "C" MFBT_API bool IsSignalHandlin
 
 #ifdef LIBFUZZER
 #include "LibFuzzerRunner.h"
 
 namespace mozilla {
 LibFuzzerRunner* libFuzzerRunner = 0;
 } // namespace mozilla
 
-void XRE_LibFuzzerSetMain(int argc, char** argv, LibFuzzerMain main) {
-  mozilla::libFuzzerRunner->setParams(argc, argv, main);
+void XRE_LibFuzzerSetMain(LibFuzzerMain main) {
+  mozilla::libFuzzerRunner->setParams(main);
 }
 #endif
 
 namespace mozilla {
 int (*RunGTest)(int*, char**) = 0;
 } // namespace mozilla
 
 using namespace mozilla;
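Review bot: The parameter in the new `XRE_LibFuzzerSetMain` signature is named `main`, while the same hook in Bootstrap.cpp names it `aMain`; renaming it keeps the argument-prefix convention and avoids the confusing read of a parameter called `main`: `void XRE_LibFuzzerSetMain(LibFuzzerMain aMain) {` / `  mozilla::libFuzzerRunner->setParams(aMain);`. The call also dereferences `mozilla::libFuzzerRunner` unchecked; it is initialised to 0 a few lines up and presumably populated by the static initialiser in LibFuzzerRunner.cpp, so a `MOZ_ASSERT(mozilla::libFuzzerRunner);` before the call would make that ordering assumption explicit rather than a silent null dereference.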
@@ -3719,17 +3719,17 @@ XREMain::XRE_mainStartup(bool* aExitFlag
   // opens.
   if (!gtk_parse_args(&gArgc, &gArgv))
     return 1;
 #endif /* MOZ_WIDGET_GTK */
 
 #ifdef LIBFUZZER
   if (PR_GetEnv("LIBFUZZER")) {
     *aExitFlag = true;
-    return mozilla::libFuzzerRunner->Run();
+    return mozilla::libFuzzerRunner->Run(gArgc, gArgv);
   }
 #endif
 
   if (PR_GetEnv("MOZ_RUN_GTEST")) {
     int result;
 #ifdef XP_WIN
     UseParentConsole();
 #endif
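Review bot: The new call passes gArgc/gArgv instead of the values captured in main(), but nothing at the call site says why, and the reason (gtk_parse_args just above, and XRE_main's earlier argument handling, can rewrite the argument vector) lives only in the commit message. A comment would keep it with the code: `// Use the current gArgc/gArgv: gtk_parse_args above and earlier argument handling in XRE_main may have rewritten them, so values captured in main() could be stale or already freed.` XRE_mainStartup begins and ends outside this hunk.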
--- a/tools/fuzzing/libfuzzer/harness/LibFuzzerRunner.cpp
+++ b/tools/fuzzing/libfuzzer/harness/LibFuzzerRunner.cpp
@@ -17,22 +17,20 @@ namespace mozilla {
 // we want to call into LibFuzzer's main.
 class _InitLibFuzzer {
 public:
   _InitLibFuzzer() {
     libFuzzerRunner = new LibFuzzerRunner();
   }
 } InitLibFuzzer;
 
-int LibFuzzerRunner::Run() {
+int LibFuzzerRunner::Run(int argc, char** argv) {
   ScopedXPCOM xpcom("LibFuzzer");
-  return mFuzzerMain(mArgc, mArgv);
+  return mFuzzerMain(argc, argv);
 }
 
 typedef int(*LibFuzzerMain)(int, char**);
 
-void LibFuzzerRunner::setParams(int argc, char** argv, LibFuzzerMain main) {
-  mArgc = argc;
-  mArgv = argv;
+void LibFuzzerRunner::setParams(LibFuzzerMain main) {
   mFuzzerMain = main;
 }
 
 } // namespace mozilla
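Review bot: `Run` still calls `mFuzzerMain` unconditionally, and the member is left without an initializer in LibFuzzerRunner.h (that hunk removes mArgc/mArgv but does not initialise `mFuzzerMain`), so a host that sets LIBFUZZER in the environment without first calling XRE_LibFuzzerSetMain would call through an indeterminate pointer. Initialising the member in the header, `LibFuzzerMain mFuzzerMain = nullptr;`, and asserting before the call, `MOZ_RELEASE_ASSERT(mFuzzerMain);`, turns that into a diagnosable failure instead of a jump to garbage. The local `typedef int(*LibFuzzerMain)(int, char**);` between Run and setParams repeats the one in the header and could be dropped.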
--- a/tools/fuzzing/libfuzzer/harness/LibFuzzerRunner.h
+++ b/tools/fuzzing/libfuzzer/harness/LibFuzzerRunner.h
@@ -4,20 +4,18 @@
  * * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 namespace mozilla {
 
 typedef int(*LibFuzzerMain)(int, char**);
 
 class LibFuzzerRunner {
 public:
-  int Run();
-  void setParams(int argc, char** argv, LibFuzzerMain main);
+  int Run(int argc, char** argv);
+  void setParams(LibFuzzerMain main);
 
 private:
-  int mArgc;
-  char** mArgv;
   LibFuzzerMain mFuzzerMain;
 };
 
 extern LibFuzzerRunner* libFuzzerRunner;
 
 } // namespace mozilla
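Review bot: The new `Run(int argc, char** argv)` declaration does not say which argc/argv the caller is expected to supply, and that contract is the whole point of the change. A comment above it would preserve it: `// Runs the registered fuzzer entry point with the argument vector as it stands at the time of the call; the caller passes XRE_main's current argc/argv, not the ones captured in main(), which may have been rewritten since.` A one-liner on `setParams` noting that it only records the entry point and no longer stores arguments would complete the picture.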
--- a/xpcom/build/nsXULAppAPI.h
+++ b/xpcom/build/nsXULAppAPI.h
@@ -510,16 +510,16 @@ XRE_API(void,
         XRE_GlibInit, ())
 #endif
 
 
 #ifdef LIBFUZZER
 #include "LibFuzzerRegistry.h"
 
 XRE_API(void,
-        XRE_LibFuzzerSetMain, (int, char**, LibFuzzerMain))
+        XRE_LibFuzzerSetMain, (LibFuzzerMain))
 
 XRE_API(void,
         XRE_LibFuzzerGetFuncs, (const char*, LibFuzzerInitFunc*,
                                 LibFuzzerTestingFunc*))
 #endif // LIBFUZZER
 
 #endif // _nsXULAppAPI_h__